Biden Signs New Cybersecurity Order

President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government’s procurement power to improve cybersecurity practices industry-wide.

Some details:

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

More information.

Posted on January 20, 2025 at 7:06 AM

Comments

bw January 20, 2025 10:06 AM

Sure sounds like good news. I’m not one to ask for government meddling, would much prefer the industry fix these problems themselves. It has certainly become clear that the industry isn’t likely to change.

Maybe this will make my (ISC)2 CSSLP cert worth big bucks soon 😉

Me January 20, 2025 11:59 AM

@bw

This doesn’t seem like government meddling so much as a large customer updating a requirement.

I would think even the freest of free-market folks ought to appreciate the government’s right to require vendors to meet their spec.

Aaron January 20, 2025 4:25 PM

More bureaucracy to make the process more “efficient”!

What will happen is the already burdensome (because of over-regulation) process will become almost immovable and less functionally useful, all while continuing to punish the companies who are actually trying, to a point of not wanting to try.

It’s a “The beatings will continue until morale improves” regulation.

Jan Willem January 21, 2025 2:58 AM

This order from Biden is just for show. With the new president and his advisor Musk this order will be withdrawn immediately (or very soon). The new president has already said that he will withdraw most of the presidential orders from Biden.

Bro January 21, 2025 4:12 AM

Re section 2. The burden will be on the companies to ensure no 3rd-party vulnerabilities are present in their software, which would normally drive the software price up, but in the short term this will not be the case, as the government is not going to pay more for the ‘same’ software. It might ultimately cause some government software suppliers to look for alternative markets or go out of business altogether.

Clive Robinson January 21, 2025 5:25 AM

@ Aaron,

Did you miss,

“an array of mandates for protecting government networks”

As a customer “putting out to tender” in a “free market” “competitive bidding process”, the US Government is entitled to set a specification with which those who “choose” to bid for and undertake work should comply.

If companies choose not to “bid” because they do not want to meet the specification, that is their choice; nobody is forcing them to.

I get the feeling you don’t want to understand the basic facts of life.

Winter January 21, 2025 5:29 AM

@bw

I’m not one to ask for government meddling, would much prefer the industry fix these problems themselves.

In my memory, there are not many examples of Industry Fixing a Health or Safety Problem for consumers without government “incentives”.

Mystified January 21, 2025 6:06 AM

How come Biden signs an executive order right before leaving office that imposes a bunch of short deadlines on various government agencies to do things like plan for PQC?

Seems like a cynical political move to stymie the new administration much more than strengthening the US’s cyber posture. If it was so important to Biden, why wait till now?

ResearcherZero January 22, 2025 1:49 AM

@Mystified

Maybe he wanted to ensure a few things got taken care of during the transition and that outstanding issues were not shoved in some bottom drawer to be forgotten about?

It’s a great opportunity during the window of changing teams for foreign adversaries to learn as much as possible about incoming teams and take advantage during the confusion.

https://media.ccc.de/v/38c3-breaking-nato-radio-encryption

ResearcherZero January 22, 2025 2:56 AM

Politicians and many within their offices are not very technically minded. You could warn that attacks are taking place all the time on networks and that telecoms are frequently targeted, but they may not listen until their own devices/communications are breached. Also, hypothetically at least, if you were to explain that two groups, political parties for example, were going to be played off against one another, then it’s unlikely again that they would listen – playing into adversary hands. When busy or rushed they may install insecure devices with known vulnerabilities, or engage in practices that are unadvised.

papers

Breaking HALFLOOP-24

https://iacr.org/cryptodb/data/paper.php?pubkey=32414

Destroying HALFLOOP-24 (improved attack)

https://eprint.iacr.org/2023/1314

ResearcherZero January 22, 2025 2:59 AM

And yes, there was a response from NATO to the researchers who disclosed the vulnerabilities.

ResearcherZero January 22, 2025 9:42 PM

Some of those companies that bid for government contracts also operate commercially. They concentrate on billing, service provision and content delivery. Privacy and security are often something that is taken care of later on, once it becomes a widespread issue. Many services are delivered over mobile service delivery, with privacy and security handling at the network layer. This service delivery produces a very large amount of location data.
Many of the telecom privacy and security issues that still exist today date back 20 years.

ResearcherZero January 22, 2025 10:05 PM

I sort of remember something like this happening a few weeks ago?

“A ninth U.S. telecom firm has been confirmed to have been hacked as part of a sprawling Chinese espionage campaign that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans,” says the White House.

The mobile network does have new features, but it is still the same 20 year old network.

OFAC, CFIUS and the Treasury were also breached, which handle and investigate information about foreign investments in commercial businesses and real estate near US bases. More than 400 laptop and desktop computers, focused on sanctions, international affairs and intelligence were breached. Though the data accessed was apparently not classified. It might however reveal who was being investigated, with some of what investigators knew.

Clive Robinson January 23, 2025 5:03 PM

@ ResearcherZero,

Re ALE and breaking of HalfLoop.

I would not read too much into it.

Because the “Automatic Link Establishment” (ALE) protocol is not a security or even privacy protocol.

Its purpose is to speed up HF Radio “link establishment” due to changes in “propagation” caused by changes in the ionosphere driven by the Sun’s emissions. As this is generally only a concern for “long haul HF” using multiple skips to get a quarter or more around the globe, ALE’s use is not what it once was (and you can pick kit up on the “Gov Surplus” market fairly easily).

Basic “Electronic Warfare”(EW) from just “passive spectrum monitoring” will almost as quickly get the same results as breaking the encryption algorithm.

As with many things, ALE is a trade-off, based on “speed of link establishment” and “ease of use” v overall “system security”.

For a voice based communication ALE selects a channel “dynamically” in one of only a very few “channels” maybe ten or so in the 2-45MHz range. Which channel is most likely to be picked can be usually guessed anyway as the state of the ionosphere is usually,

“Known to friend and foe alike”

The problem with ALE is when it is used with “Low Probability of Intercept” (LPI) equipment, because usually ALE is very far from stealthy.

If you want to know more about ALE in its basic forms, do a DuckDuck for,

Bonnie Crystal ALE

And you will get this link,

https://hflink.com/

Amongst others and you will see little has changed on it in nearly the last decade or so (you will see a fair bit of DOS software still there).

The original point of ALE was to make use of HF Radio about as simple as a “field telephone” where you pick up a handset and press a button or twirl a hand crank to alert the person at the other end. Which is why it was used in “the outback” and similar to contact the flying doctor etc.

The idea was to remove the need for having experienced, thus valuable, radio techs at either end, ensuring that a link was kept open where possible for technically low-level “field operatives”.

Thus “security” was not built in from the get go.

For my sins I have to use ALE occasionally for “Engineering Order Wire” (EOW) activities to chat to “out station” operators beyond normal “terrestrial telecommunications” if and when there are technical issues. Mostly this is done as “clear text communications”, not “Link Encrypted” (LE).

But the fact is the likes of StarLink at around $50/month for high bandwidth data comms is removing the use of HF comms for all but “dire emergency” situations.
